KfW-2.6 beta2 in a mixed realm environment, wrong client principal

Jeffrey Altman jaltman at columbia.edu
Tue Jan 20 18:22:28 EST 2004

The new ms2mit uses the "MSLSA:" ccache interface.  It takes the 
contents of the
MSLSA: ccache and copies them into the API:krb5cc ccache.  (or whatever 
the default ccache has)

Therefore, it does copy all of the tickets.  If Windows 2000 reports the 
incorrectly then they will be placed into the ccache incorrectly.  I 
could modify
the ms2mit code to restrict the copy to the single TGT.  However, direct 
of the MSLSA ccache will still have the same problem.

So if it can be addressed it should be addressed in the ccache code 
Or in the GSSAPI code. 

One question is why is the GSSAPI code picking up the wrong ticket?

What is the name of the principal with which you login?  The windows
realm or the mit realm?

Jeffrey Altman

Douglas E. Engert wrote:

>There may be a bug/misunderstanding in W2K which is carried forward 
>into KfW. It looks like the MS code may be reporting the wrong realm
>of the client when returning a ticket with KERB_RETRIEVE_TKT_RESPONSE maybe 
>returning the wrong realm. 
>The KERB_EXTERNAL_TICKET structure says: 
>  KERB_EXTERNAL_NAME structure containing the client name in the 
>  ticket. This name is relative to the current domain. 
>The clue to the problem may be "relative to the current domain"
>what ever that means. 
>We have two realms, ANL.GOV is a W2K domain, and KRB5.ANL.GOV
>is using a MIT 1.2.8 KDC. 
>I logon using Windows login to the local workstation that is
>listed as host/deet22.ctd.anl.gov at KRB5.ANL.GOV
>This causes a TGT and cross realm TGT to be obtained. 
>But notice below that the principal listed for the cross realm
>TGT and the host ticket is listed as b17783 at KRB5.ANL.GOV, rather
>then what is actually in the ticket of b17783 at ANL.GOV
> C:\Program Files\MIT\Kerberos\bin>klist -e
>Ticket cache: API:krb5cc
>Default principal: b17783 at ANL.GOV
>Valid starting     Expires            Service principal
>01/20/04 16:11:50  01/21/04 02:11:50  krbtgt/KRB5.ANL.GOV at ANL.GOV
>        for client b17783 at KRB5.ANL.GOV, renew until 01/27/04 16:11:50
>        Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5
>01/20/04 16:11:50  01/21/04 02:11:50  krbtgt/ANL.GOV at ANL.GOV
>        renew until 01/27/04 16:11:50, Etype (skey, tkt): etype 0, ArcFour with
>01/20/04 16:11:57  01/21/04 02:11:50  host/deet22.ctd.anl.gov at KRB5.ANL.GOV
>        for client b17783 at KRB5.ANL.GOV, renew until 01/27/04 16:11:50
>        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5
>The Windows kerbtray.exe lists the client name correctly in the krbtgt/ANL.GOV at ANL.GOV
>and the krbtgt/KRB5.ANL.GOV at ANL.GOV tickets but not in the 
>host/deet22.ctd.anl.gov at KRB5.ANL.GOV ticket. 
>The KRB5.ANL.GOV KDC logs show the client name correctly in the host ticket as 
>b17783 at ANL.GOV
>This was not a problem with the older ms2mit, which only copied the single TGT.
>But KfW appears to copy both TGTs. 
>Some GSSAPI programs when trying to use these tickets fail. If I use Leash and
>give it the b17783 at ANL.GOV and password, the gssapi applications work. 
>So the interpretation of "relative to the current domain" may need to be looked at closely. 

More information about the krbdev mailing list